SEDCMD in props.conf

irwinj_125
Explorer

Hello,

In the Splunk GUI/Interface, I filter into the following commands to remove some unwanted data from being displayed:

| rex mode=sed field=_raw "s/ example: .+?( from |$)/ example: select from /g"
| rex mode=sed field=_raw "s/ in \(.+?\) / in (...) /g"

How would I apply this to props.conf in my forwarder (or is there a better option, i.e. transforms.conf)? I tried the following, but it did not seem to work for me.

[XX]
SEDCMD-first = s/ example: .+?( from |$)/ example: select from /g
SEDCMD-second = s/ in \(.+?\) / in (...) /g
force_local_processing = true

0 Karma

scelikok
SplunkTrust

Hi @irwinj_125,

It is better doing these replacements on your indexers without force_local_processing=true.

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma

irwinj_125
Explorer

Thanks!

Yes, my goal here is just to get the SEDCMD working; if I can do that, I will disable local processing and set it up on the indexer instead. Doing this locally allows me to test without having to restart the indexer, which would affect all my forwarders (at least that's my thinking).

 

0 Karma
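
One way to check the two expressions offline before touching props.conf, as an added example that is not part of the original thread: it parses each s/// expression and applies it with Python's re module, which is assumed to behave like Splunk's regex engine for these two patterns. The sample events are constructed, and parse_sed and apply_sedcmds are hypothetical helper names.

```python
import re

# The two expressions from the question's props.conf stanza, in the order posted.
SEDCMDS = [
    r"s/ example: .+?( from |$)/ example: select from /g",
    r"s/ in \(.+?\) / in (...) /g",
]

# Constructed sample events (not taken from the thread).
SAMPLES = [
    "10:00:01 db example: select name, ssn from users where id in (101, 102) order by id",
    "10:00:02 db example: call proc_secret(42)",
    "10:00:03 db example: delete from t where id in (7, 8)",
]


def parse_sed(expr):
    """Split s/regex/replacement/flags on unescaped '/' characters."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// expressions are handled")
    parts, buf, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            buf.append("/" if nxt == "/" else ch + nxt)  # keep other escapes intact
            i += 2
            continue
        if ch == "/" and len(parts) < 2:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError("unterminated s/// expression")
    return parts[0], parts[1], "".join(buf)


def apply_sedcmds(raw, cmds=SEDCMDS):
    """Apply each expression in turn; 'g' replaces all matches, otherwise the first."""
    for expr in cmds:
        pattern, repl, flags = parse_sed(expr)
        raw = re.sub(pattern, repl, raw, count=0 if "g" in flags else 1)
    return raw


if __name__ == "__main__":
    for event in SAMPLES:
        print(repr(apply_sedcmds(event)))
```

The third constructed event ends in `)` with no trailing space, so the second expression as written leaves its values in place.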